Will hacking lead to an Australian-style legal system in the UK?

30 January 2023

If the Australian example is anything to go by, it won’t be long before UK skyscrapers have law firms’ names in bright lights at the top like their Australian counterparts. That’s because New South Wales is the most litigious place in the world, with ‘no win no fee’ law firms and funding for litigation driving a thriving claimant culture. As a result, recent legislation has placed a cap of 30% on returns for litigation funders. For UK firms, it’s more than 35%.

The recent spate of data breaches and cyberattacks in Australia is triggering class action lawsuits. Optus, Australia’s second largest telecommunications provider, has been called to account, and now the private health insurer Medibank is facing litigation from three class action firms after ransomware hackers caused a major data breach.

British Airways: A British test case

The UK is some way behind Australia in class actions, but a recent British Airways (BA) settlement following the data breach of 420,000 BA customers in 2018 could signal what is to come. In the insurance industry we say there is a tail in liability claims, as it can take several years for claims to play out through the courts and ultimately be settled. The BA case just shortened that tail and gave it added sting. This case has several firsts:

• One of the largest GDPR fines to be issued by UK regulators: GBP183m (USD249m)
• The fine was reduced to GBP20m (USD27m) to reflect the impact of Covid-19
• One of the first major successful collective action settlements in the UK
• Of the 420,000 impacted customers, 17,000 individuals are involved in the action, representing a 4% take-up rate
• Participants in the collective action didn’t need to show pecuniary/financial loss as emotional damage/inconvenience was sufficient
• BA reportedly settled for GBP2,000 per impacted individual, leading to a GBP34m (USD46m) loss from the first wave of collective actions.

The last point is of particular interest and possibly the start of the ‘Australisation’ of UK society. The law of costs in England and Wales is typical of common law jurisdictions, whereas in the United States each party pays their own costs whether they win or lose. In the UK the losing party must pay the costs of the other party. This has now become a choice for organisations faced with a class action legal battle, with legal costs and damages on both sides mounting to circa GBP5,000 per individual. With the offer of a swift settlement of GBP2,000 rather than the uncertainty of a five times greater loss, it’s understandable why BA was so fast to settle.

It started with one…now the gates are open

There are a number of different claims an individual can bring in the UK against an organisation for compensation, and the landmark case of Vidal-Hall v Google, Inc. [2015] significantly changed the legal landscape for non-pecuniary damages as a result of a breach of data. This case, along with the BA cases, further enables well-funded law firms to push through more cases.

In Australia, people are encouraged to bring claims for minor matters which may have passed by in other jurisdictions. Law firms have become all-powerful and the Australian legal system has reached the point where so many claims are in progress that judges are sometimes individually handling 800+ cases at any one time. When you compare the proposed BA settlement with compensation of up to AUD20,000 per person in the Australian system, UK companies may well experience significantly more liability in the future.

Insurance as a last protection

The landscape for cyber insurers could not be more challenging, with countless ransomware claims impacting profitability and threatening the sustainability of business models. It will lead to further challenges if the other part of a cyber insurance policy – the cyber liability section – begins to be used in fast settlements like the BA case.

The challenge to business is to ensure the high standards for a textbook breach response, which arguably BA had provided. But, ultimately, it was the ‘numerous measures BA could have used [but didn’t] to mitigate or prevent the risk of an attacker accessing the BA network’ that resulted in the lack of defence to both the regulator and the civil actions.

Lesson learnt

Law firms are going to target firms with big pockets, but hackers are indiscriminate and firms of all sizes will experience cyberattacks if basic cyber hygiene is not followed. Given that it’s so easy to prevent half of most unsophisticated cyberattacks by using multi-factor authentication and suitable data backups, it’s surprising that more firms are not giving it greater attention. Regardless of cyber security, one thing is certain: in future we’ll see more names of law firms on our skyscrapers as a result of social inflation.

Written by Simon Gilbert – Founder & Managing Director.
